Research

American Institutes for Research (AIR) (for Study of Deeper Learning)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 1/18/2023 – 4/30/2025

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. For the Study of Deeper Learning, we examine the impact of attending a deeper learning network school on student outcomes, as well as relationships between opportunities for deeper learning and student outcomes. For these analyses, students are the unit of analysis. It is for this reason that we have requested student-level data. These data will not include student identifying information such as name or date of birth. However, student names and date of birth were collected from consent forms distributed to participating schools in the 2012-13 school year. We only have identifying information for students whose parents provided consent to participate in the study. This information is used to locate study participants and invite them to participate in a follow-up study. The study also administered a teacher survey in spring 2013, and so data also include individual teacher-level survey data collected by AIR.

Type of PII that the Entity will receive/access: Student PII and Staff PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Student-level data will be destroyed within five years of the completion of the study, which is currently scheduled to end on 11/30/2024. Student-level data will be maintained for five years to assist with the completion of manuscripts for scholarly journals and to allow for the possibility of securing additional funding to continue the Study of Deeper Learning.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. AIR has established in the Microsoft Azure Commercial Cloud its Secure Project Portal – Restricted Desktop (SPP-R), an enterprise-grade information enclave protected by a Next-Generation Firewall and comprised of hardened servers and infrastructure configured and maintained by AIR staff. This environment includes strong encryption in transit and at rest, rigorous access controls, and other security measures developed to meet the requirements of NIST 800-171 for Controlled Unclassified Information (CUI). All PII for this project will be stored and processed in SPP-R.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology. 

American Institutes for Research (AIR) (for Computational Thinking in Middle School Science)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 10/18/2023 – 9/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. The American Institutes for Research (AIR) has partnered with the New York Hall of Science (NYSCI) for a federal grant on an evaluation of The Pack, an interactive, open-ended, exploratory digital game in which players engage in computational thinking and scientific reasoning to solve problems encountered in a novel environmental context. As part of the evaluation, AIR is examining the impact of The Pack on New York City middle school students’ engagement in computational thinking and their computational thinking skills. AIR will request students’ demographic data and prior achievement data to determine whether impacts of The Pack differ as a function of student characteristics.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Applied Curiosity Research (for Fast Track to College & Career Program Evaluation: Final Report)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 10/25/2022 – 10/1/2025

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. Applied Curiosity Research is evaluating the efficacy of the Fast Track to College & Career (FTCC) pilot program taking place at 11 NYC DOE schools. FTCC was funded by the US Department of Education Perkins Innovation Grant to improve outcomes of students in participating NYC DOE Career and Technical Education (CTE) high schools by offering courses and activities aligned to their career pathway through CUNY’s College Now (CN) program. The program is designed to improve the transition of students from secondary education to postsecondary education by redesigning the high school experience to include dual enrollment courses as early as the 10th grade, and continuing through a structured sequence of college credit and work-based learning activities in 11th and 12th grade. We are requesting student scrambled data from the 11 FTCC schools and 13 control schools so we can compare outcomes and determine the impact of the program. We will need to limit our analysis to CTE-eligible students that entered 10th grade in 2019-2020 at one of 11 FTCC or 13 control schools.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor and using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology. 

Center for Innovation through Data Intelligence (for YouthNPower Direct Cash Transfer Pilot Evaluation)

Type of Entity: Government Agency

Contract / Agreement Term: 11/30/23 – 5/31/2026

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. The outcome evaluation of the youth receiving cash assistance will use a quasi-experimental design which will include a stratified sample of youth who have aged out of foster care. One group of youth will obtain the cash assistance lottery and will be matched, via propensity score, with a group of similar non-program youth based upon the following characteristics: age, race, ethnicity, gender, time in foster care, aged-out status, type of maltreatment, and type of care. Subsequently, we will compare the outcomes of the two groups. PII will be required to match program and non-program youth to Administration of Children's Services, Department of Corrections, Department of Homeless Services, Department of Education, Human Resources Administration, Department of Labor, Statewide Planning and Research Cooperative System, and Department of Youth and Community Development data to assess the impact of the intervention on their outcomes.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Change Impact (Extended School Day/School Violence Prevention Evaluation 2022-23)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 9/1/2022 – 8/31/2023

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. This study will support continuous improvement of these NYSED-funded ESD/SVP programs. The evaluation report includes findings and recommendations for improvement to strengthen student services, which ultimately aims to improve student academic, social/emotional, and physical development outcomes.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology. 

College Access: Research and Action (CARA)

Type of Entity: Research or Evaluation Institution or University

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. The mission of College Access: Research and Action (CARA) is to ensure first-generation-to- college, students of color, and low-income students in underserved New York City communities have the knowledge and support necessary to enroll in and graduate from college. CARA’s programs help transform the culture of schools by training a wide range of youth and adult staff to support students to and through college. CARA is dedicated to producing rigorous program evaluation and meaningful research to inform public policy regarding the post-secondary access, matriculation, persistence, and graduation of students attending under-resourced New York City Department of Education (NYC DoE) high schools. CARA has worked in over 100 NYC high schools since the 2010-11 school year. To evaluate the effectiveness of our programs, we are requesting access to data for these schools and their comparisons beginning in the 2009-10 school year to the most recent school year available. We plan to address the following questions: 1. Does attendance at a high school that receives CARA programming affect students’ college matriculation, type of college attended, and college persistence as compared to students who do not receive CARA services? Do these school-level effects hold after controlling for student-level characteristics? 2. Do CARA programs vary in their effect on students’ post-secondary outcomes? 3. Do program effects vary by student subgroups of race, gender, income, and parents' education level?

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor and using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology. 

Columbia University (for The Impact of Bias in School Choice)

Type of Entity: Research or Evaluation Institution or University

Contract/Agreement Term: 11/8/2022 – 11/8/2024

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. Evaluation of the outcome of the current procedure for matching students to public high schools in NYC, with the goal of understanding its strengths and weaknesses and eventually propose suggestions for improvement.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology. 

Cornell University, on behalf of Nikhil Garg (for How Do Students Decide Which Schools to Apply to)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 7/20/2023 – 6/1/2028

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. We are conducting research on how students and families navigate the high school application process. To conduct this research, we would like to analyze individual-level school preference data to identify patterns and limitations in how students choose which schools to list.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor (e.g. Microsoft Azure) and using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

City of University of New York (CUNY)

The exclusive purposes for which Protected Information will be used: The course and exam data provided by the DOE will serve as applicants’ official high school transcripts and be used to evaluate applicants’ admissibility to the CUNY colleges to which they have applied. CUNY will use the biographical data provided by the DOE to match the academic records provided by the DOE to CUNY applications.

CUNY will use immunization records provided by the DOE as proof of students’ immunization status, as required for college enrollment.

CUNY will use the research dataset solely for research projects designed to improve instruction or program administration at CUNY colleges.

How you will ensure that the subcontractors, persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements: Access to the biographical, course, and exam data files will be limited to the staff of CUNY’s University Application Processing Center, who are informed of their responsibilities for handling personally identifiable data in writing and required to sign data use and access agreements.

Access to the Research Data Set will be limited to employees of CUNY’s research offices, who are informed of their responsibilities for handling personally identifiable data in writing and required to sign data use and access agreements.

In addition, all employees in these offices must acknowledge, by signature, receiving a copy of the University’s Policy on Acceptable Use of Computer Resources and IT Security Policies.

When the agreement expires and what happens to Protected Information upon expiration of the agreement: This agreement expires on December 31, 2028. CUNY can purge DOE data if requested by the DOE due to the expiration or termination of the Memorandum of Understanding.

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, CUNY will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.

Where the Protected Information will be stored (described in such a manner as to protect data security), and the security protections taken to ensure such data will be protected, including whether such data will be encrypted: Data provided by the DOE will be stored and protected in a manner consistent with other CUNY confidential, personally identifiable, and protected health data. Common security controls include firewall, intrusion prevention, limited authorized access, and data center physical security. The data is encrypted during transmission.

City of University of New York (CUNY), on behalf of Brooklyn College (for CUNY Reading Corps Tutoring Evaluation)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 12/1/2023 – 12/1/2024

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. Student OSIS numbers were provided to the researchers when assigning students to tutors during the program. This is the only PII available and that will continue to be required in order to link students to scores and track students overtime. Any demographic data used to develop a matched sample can be screened prior to transferring the data to us if needed. They will not be required for the primary analysis and are only being used to create a comparison group and ensure balance in terms of characteristics between the two groups.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

DAH Consulting, Inc.

The exclusive purposes for which PISI will be used: Evaluation of 21st CCLC program at schools identified.

How you will ensure that the subcontractors, persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements: All employees, persons, etc. have an NDA with DAH which indicates that they will abide by data protection and security guidelines established by the organization. 

When the agreement expires and what happens to PISI upon expiration of the agreement: After 5 years when study ends we will destroy research records remembering to protect participants' confidentiality throughout the process. Paper records will be shredded and recycled, instead of carelessly tossed in the garbage. Records stored on computer hard drive should then be erased using commercial software applications designed to remove all data from the storage device.

[NYC DOE additional information: The current agreement became effective starting on December 4, 2018 and remains effective through the period during DAH Consulting, Inc. possesses or otherwise is in control of covered protected information and no later than December 4, 2025.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov.]

Where the PISI will be stored (described in such a manner as to protect data security), and the security protection taken to ensure such data will be protected, including whether such data will be encrypted: We intend to use minimal-identifier data as often as possible and minimize risk by maximizing work "within network".

Other controls will be to manage release of identifier-data at source/ identification of a "Gatekeeper" and tracking data releases using an approval process and documenting and creating logs.

We will also remove all personally identifying information from data, replacing identifiers with a new unlinked, identifier, which cannot be associated with an individual study participant.

NYC DOE Additional Information: Certain portions of this response have been redacted to protect the privacy and/or security of data and/or technology infrastructure.

Double Line (for Bill & Melinda Gate Foundation Networks for School Improvement)

Type of Entity: Commercial Enterprise

Contract / Agreement End Date: 8/30/2026

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. The Bill and Melinda Gates Foundation’s Networks for School Improvement (NSI) portfolio supports organizations that bring groups of middle and high schools together to advance high school graduation and college success rates for their Black and Latino students and students experiencing poverty. The Foundation works with Double Line to collect de-identified student level data directly from NYC DOE and shares the data (in aggregate form) with the NSI partners and the Foundation in order to help with Target Setting and overall grant reporting. De-identified student level data will be used to measure the effectiveness of the Project in achieving its overall goal of improving outcomes for Black, Latino and low-income students.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Duke University (for School Assignment by Match Quality and School Choice and Housing Market)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 4/25/2024 – 4/25/2026

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. The data will be used for two ongoing projects, titled “School Assignment by Match Quality” (2335) and “School Choice and the Housing Market” (2360).

Standard assignment systems implement district policies by sorting applicant into coarse priority groups based on criteria such a siblings’ enrollment status, family income. However, these systems do not account for finer policy objectives, such as reducing total commuting time to schools, matching students and schools based on fitness of the match, assigning more children to their higher ranked choices while respecting other policies implemented via priorities.

We develop novel assignments systems that will empower school districts with the ability to consider and implement such broader policy objectives. We aim to assess the performance of our solution empirically with the NYC data.

The housing market plays a role in access to schools. Even when parents are allowed to choose schools outside of their neighborhoods, their schooling options are closely tied to their residential choices: families prefer schools near their homes, and schools' prioritize applicants from the neighborhood. We use NYC data to evaluate the impact of residential choice in a unified framework of school choice and housing market.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Education Development Center (for Equitable Computer Science Implementation in all NYC Schools)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 10/20/2023 – 9/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. Education Development Center (EDC) and the New York City Department of Education (NYCDOE) are engaged in a research–practice partnership (RPP) to enhance and study the implementation of high school Advanced Placement (AP) Computer Science Principles (CSP) courses, particularly in low-performing NYC schools. The work of the RPP responds to a persistent problem of practice in NYC schools—the successful implementation of AP CSP in low-performing schools. The intended outcomes of this work are improved student enrollment and attendance in AP CSP, increased student CS knowledge, and greater percentage of students taking and passing the AP CSP exam, in particular, for female, Black, and Latinx students. PII data will be used to look at trends in these outcomes over time for NYC schools and provide guidance for NYCDOE efforts as they target support for schools offering AP CSP.

Type of PII that the Entity will receive/access: Student PII and Staff PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Glass Frog Solutions (for Evaluating the Impact of the School of Interactive Arts on Students' AP Computer Science Principles Participation and Scores)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 1/20/2023 – 12/31/2026

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. We are conducting a program evaluation of the School of Interactive Arts (SIA) program, which received a federal Education Innovation & Research (EIR) grant to implement and evaluate the program in NYC public schools. The goal of the program is to use a curriculum based in video game design to increase students' interest in computer science. The program partners with schools offering the AP Computer Science Principles course, and the SIA program works to encourage students to take additional computer science coursework and eventually take the AP Computer Science Principles exam. The long-term goal of the SIA program is to increase access to computer science majors and careers for students belonging to under-represented groups. The evaluation will assess whether the program was successful in encouraging students to take the AP Computer Science Principles course and ultimately pass the AP Computer Science Principles exam. We will draw on students' deidentified course and test score data to determine whether the program met these goals.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology. 

Glass Frog Solutions (for Estimating the Impact of GO Project NYC on Student Attendance and Academic Performance)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 10/13/2023 – 12/31/2028

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. This data request is part of an ongoing evaluation of GO Project's impact on student outcomes. GO Project partners with NYC schools to provide supplemental services to students with special education classifications and/or who are performing below their peers. Their goal is to help students become proficient and eventually excel at school. We want to use data from the NYC DOE to determine how GO Project students are faring, relative to their peers districtwide, on outcomes including attendance, academic performance, and eventually on-time graduation. We will compare outcomes among GO Project students to outcomes among students districtwide, which we will obtain from publicly available datasets. Both GO Project and their partners want to ensure that students are making progress and that the investment is having an impact on students' short- and long-term outcomes. This will enable both schools and GO Project to determine how they allocate resources going forward.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

President and Fellows of Harvard College (for The Impact of Suspension on Student Outcomes and the Racial Achievement Gap)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 7/1/2023 – 7/1/2026

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. This research studies the effect of a 2012 policy reform in New York City public middle schools that eliminated suspensions for non-violent, disorderly behavior. Using anonymized student data (PII), we estimate the causal effect of reducing suspensions on student test scores and measures of school culture.

Type of PII that the Entity will receive/access: Student PII and Staff PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

President and Fellows of Harvard College (for Understanding the Impacts of Gifted and Talented Programs)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement End Date: 06/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. To study the characteristics of students who apply for and enroll in NYC Gifted and Talented Programs and any related impacts of eligibility and enrollment on these students.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Laurus Grant-Writing & Evaluation Services (for 21st Century Community Learning Centers Year 5)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 8/23/2022 – 8/23/2024

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. Laurus is serving as the evaluator of the 21st Century Community Learning Centers program grants awarded to NYC Community Schools Districts 4, 10, 12 and 24, as well as those grants awarded to the following community-based organizations: New York Edge, Partnership with Children, Academics in Motion (AIM) and PowerPlay NYC. These grants mandate that an “outside” evaluator assess data to determine if the program has any effects on students that participate; this data includes attendance records and academic results such as report card grades and assessment results. The data we are requesting is de-identified – we only have to report general findings and trends – we never report on individual participants or reveal any identifying information.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology. 

Massachusetts Institute of Technology (MIT) (for "The Comprehensive Data Request for MIT SEII” & “Peer Exposure Effects on School Preferences” & “How School Accountability Affects School Choice” & ‘Pipelines and Equity in Gifted and Talented Programs”)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 2/22/2022 – 2/27/2028

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII.

NYCDOE uses a matching algorithm designed by Abdulkadiroglu, Pathak, and Roth to match students to schools according to preferences and priorities. The adoption of centralized assignment has enabled improved school impact evaluations. Led by Parag Pathak, MIT's Blueprint Labs has developed pioneering new methods to enable an analyst to fully exploit all randomization generated by centralized assignment. We are pursuing several lines of inquiry related to this work in New York City.

We plan to study how exposure to a diverse set of peers in early stages of education affects school preferences at later stages. A student’s peers at school may leave an indelible mark on how they see themselves, how they see others, and their social preferences. We therefore plan to evaluate whether attending a school with more diverse peers influences a student and her family’s preference to enroll in a more diverse school in the future, as measured by the child and her family’s choices of school in later years, and to understand the mechanisms driving these patterns of school choice.

We are conducting observational research on student educational records. We aim to investigate the interplay between the design of school accountability systems, families’ information about schools and school choice. We require the PII to evaluate the effects of the introduction and later removal of letter grades from school reports on patterns of school applications, enrollment and student achievement, by comparing changes in demand for schools before, during and after the removal of letter grades.

The overall purpose of our research is to, first, evaluate the impact of elementary school gifted and talented programs on subsequent educational experiences, particularly for low-income and racial minority students, and second, to assess potential gifted and talented implementation policies for addressing pipeline issues in selective schooling programs. To do this, we will use the random variation generated by gifted and talented program assignment rules to estimate the effect of admission and attendance to these programs on the types of schools that students attend in the future. In addition, we will consider the effects of various program policies – such as Diversity in Admissions policies, program expansion, and the use of tests in admissions – on the diversity of the groups of students in the programs and whether the students who enroll in the programs are those who will benefit the most. We will therefore be able to assess the potential of gifted and talented programs to address pipeline issues in NYC schools, and how this is impacted by program admissions policies.

Type of PII that the Entity will receive/access: Student PII and Staff PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology. 

Mathematica Policy Research (for Impact Study of Federally-Funded Magnet Schools)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 3/4/2024 – 5/25/2025

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. The U.S. Department of Education is sponsoring a study to evaluate the Magnet Schools Assistance Program (MSAP). The impact evaluation measures the effects of MSAP schools on student achievement and school diversity, using a lottery-based random assignment design. The impact study data collection makes it possible to estimate the impact of admission to a magnet school on:

  • student achievement and other available academic outcomes
  • school environment, including exposure to a more diverse set of peers.

The study also examines whether features of MSAP schools are associated with greater success which could inform future program improvement efforts.

The requested student level data will be used to identify where students who applied to MSAP-funded schools enrolled in the years following application. Additionally, data requested on student outcomes (achievement and other measures of success) will help the study team answer research question of the impact of admission to the magnet program on student academic outcomes. After linking student data, we will drop all PII, and assign students an anonymized research ID in our analytic files. Ultimately, the final study will be included in a publicly distributed report that presents aggregated findings across all MSAP-funded schools nationwide.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

MDRC (for Impact Evaluation of Academic Language Interventions)

Type of Entity: Research or Evaluation Institution or University

Contract/Agreement Term: 9/25/2015 – 12/31/2022

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. Data will be analyzed for the Impact Evaluation of Academic Language Intervention, a research study which began in 2015 to assess the impact of an academic language program on student language and reading skills. This study is funded by the U.S. Department of Education (Contract No. ED-IES 15-C-0050) and led by MDRC, a nonprofit research organization.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: For the final phase of the evaluation, the study team will create a de-identified student-level restricted-access file for use only by qualified researchers for approved research projects, as required by the study funders (ED). The restricted-access file will include student-level data collected for the study, including student records.

To reduce disclosure risk, the study team will remove all direct identifiers from the restricted-access file, including the names of states, districts, schools, and students, physical addresses, and contact information. District, school, and student names will be replaced with randomly generated ID variables. We will also remove original and calculated variables that are not useful for research purposes. After creating the deidentified student-level file, the study team will securely delete the underlying identifiable student-level data.

MDRC will submit the restricted-access file to the data archive maintained by the Department of Education’s Institute of Education Sciences (IES). The restricted-access file will be available only to qualified researchers who agree to the confidentiality and data security requirements established by the U.S. Department of Education. Once IES has accepted the restricted-access file, MDRC will destroy all other files received from the DOE, as well as crosswalks that link actual IDs to the randomly constructed ID, by deleting the data from our secure servers.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology. 

MDRC (for Examining Effects of Social-Emotional Learning on Outcomes Through High School and Beyond: A Follow-Up Study of INSIGHTS)

Type of Entity: Research or Evaluation Institution or University

Contract/Agreement Term: 2/28/2023 – 6/30/2028

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. The aim of the proposed study is to conduct a long-term efficacy follow-up of INSIGHTS into Children’s Temperament (INSIGHTS). Findings from the original cluster randomized trial of INSIGHTS implemented in kindergarten and first grade in schools serving students from low-income families (2008 – 2012) revealed positive short-term treatment impacts on children’s literacy, math, sustained attention, and behavioral skills. Follow-up data demonstrated sustained impacts on target outcomes through sixth grade. Although these medium-term impacts are promising, questions remain about whether INSIGHTS does continue to benefit children as they move through adolescence, as well as the mechanisms through which the program generates long-term outcomes, the students who benefit the most from the intervention, and the implementation and school-level factors that are critical to promoting sustained impacts. The proposed study will estimate long-term effects of INSIGHTS on students’ academic, social-emotional, and behavioral outcomes from 7th to 12th grade and during the transition to college. The study will explore how INSIGHTS promoted long-term outcomes, for whom, and under what circumstances. Findings will provide information on whether early investments in SEL yield benefits for students through high school and beyond.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

MDRC (for New York City Small Schools of Choice)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 1/25/2024 – 6/30/2027

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. Beginning in 2002, the New York City Department of Education (NYCDOE) closed many large, comprehensive high schools with a history of low performance and created hundreds of new small secondary schools. These schools were required to implement curricula and school structures that promoted academic rigor, knowledge relevant to the real world, and personalized relationships, and they received funding and policy supports from NYCDOE and community partners. Because these small schools are located in the communities they intended to serve, do not screen students based on their prior academic achievement, and thus represent a realistic small school option for many students who previously did not have one, MDRC researchers call these new schools Small Schools of Choice (SSCs).

MDRC will use NYCDOE data to examine how SSCs affected students’ secondary and postsecondary education outcomes, such as high school graduation and postsecondary degree attainment. We will also study which components of SSCs had the most influence on student outcomes, as well as whether certain groups of students were more likely to benefit from enrolling in SSCs. To meet these research goals, we plan to compile data on study students for at least six years past high school graduation (a benchmark which has become the standard among major postsecondary databases, such as NCES). We will also use earlier years of data to study how students’ prior academic achievement affects the effectiveness of SSCs.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor (i.e. Amazon Web Services GovCloud).

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Metis Associates (for Evaluation of New York City's Summer Rising 2022 Program and Evaluation of New York City’s Summer Rising 2023 Program)

Type of Entity: Commercial Enterprise

Contract / Agreement Term:

  • Evaluation of New York City's Summer Rising 2022 Program: 8/25/2022 – 6/30/2023
  • Evaluation of New York City’s Summer Rising 2023 Program: 8/22/2023 – 8/23/2024

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. The purpose of this research study is (1) to characterize the Summer Rising participants, (2) to determine whether the program is reaching its intended audience, and (3) to determine if programming is having an effect/impact on academic outcomes. PII data are required to match and control for possible covariates between participants and comparisons, as well as to characterize the population served by the program.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Metis Associates (for projects in 2023-2024)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 3/1/2023 – 7/1/2024 for the following research projects:

  • Community Change Inc. 21st Century Community Learning Centers Program
  • The Center for Educational Innovation’s Education through Art (AAEDD)
  • Evaluation of the United Community School Program
  • Evaluation of the UFT Full-Service Community Schools (FSCS) Program Grant
  • The Center for Family Life in Sunset Park (CFL)
  • Education through Music (ETM)
  • Lehman Urban Transformative Education in STEM Project

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII.

Community Change Inc. (CCI) 21st Century Community Learning Centers (21st CCLC) is a New York State funded initiative that will use student level data to determine whether the project is meeting its objectives and performance targets, and will include student demographics, attendance, behavioral incidents, report card/transcript data, graduation data, and standardized assessment results.

The Center for Educational Innovation (CEI) Assistance for Arts Education Development and Dissemination (AAEDD) is a United States Department of Education funded grant that will use student demographic, assessment, attendance, and SEL data in a rigorous comparative quasi-experimental design (QED) to determine initiative impacts.

The evaluation of the United Federation of Teacher’s United Community Schools (UCS) initiative will use student demographics, attendance, behavioral incidents, and standardized assessment results in a rigorous comparative quasi-experimental design (QED) to determine initiative impacts.

The federally funded Full-Service Community Schools (FSCS) program grant includes three of the United Federation of Teacher’s United Community Schools (UCS) and will use student demographics, attendance, behavioral incidents, and standardized assessment results to determine the effects that funding has had on student outcomes.

The evaluation of the Center for Family Life in Sunset Park (CFL) includes programming at six neighborhood public schools and will utilize student demographic, attendance, and achievement data to determine whether its program offerings are associated with positive outcomes.

The evaluation of Education through Music (ETM) will utilize student demographic, attendance, achievement, and SEL data in a rigorous comparative quasi-experimental design (QED) to determine initiative impacts.

The Lehman College Urban Transformative Education in STEM (LUTE-STEM) project will use student demographic, attendance, and academic assessments to determine whether the program is positively associated with student outcomes.

Type of PII that the Entity will receive/access: Student PII and Staff PII

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Upon expiration or termination of the Agreement, the Organization shall securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor and using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology. 

Metis Associates (for Evaluation of NYCPS High-Impact Tutoring Initiative)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 5/8/2024  – 4/30/2027

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. The evaluation of the NYCPS High Impact Tutoring initiative is designed to gather information about the implementation and impacts of the program, which provides high impact tutoring services to students in grades K-9. One aspect the evaluation will examine is which students are being served by the initiative and how participation varies by student demographics. The PII will be used to produce propensity scores which will then be used to develop 1:1 matches to non-participating students citywide.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

National Education Equity Lab (for Exploratory Study of the Impact of the National Education Equity Lab College-in-High School Model in NYC Schools)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 8/9/2023 – 8/9/2025

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. The purpose of the proposed study is to gather exploratory evidence regarding the Ed Equity Lab participating student population, their backgrounds as well as their postsecondary outcomes. Student demographic data is required to describe the population of students engaged in Ed Equity Lab courses, while it is also required to control for pre-existing differences between students when trying to estimate the program’s impact on students’ postsecondary outcomes. All reporting of results will be done at the aggregate program level. There will be no reporting of individual level results or data.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

New York University (NYU) (for The School Choice Policy Research Center – Improving Policy, Implementation, and Outcomes for Disadvantaged Students)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 5/24/2022 – 5/24/2025

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. The study examines the impact of transportation options on school choice and student outcomes.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology. 

New York University (NYU) (for Strengthening School Readiness through Pre-K for All: A University-District Partnership)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 1/24/2023 – 8/31/2027

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. We are requesting individual level student data detailed earlier, and the NYC DOE considers all student-level data to be PII. In addition, we are requesting for a document linking the DOE-created random ID (in the de-identified dataset) to the child's name, making the data identifiable for the participants’ who consented to the data and records release question on the consent form.

We are requesting for a document linking the DOE-created random ID (in the de-identified dataset) to the staff members’ name and email address (or DOE “external account” for NYCEEC staff), making the data identifiable for the participants’ who consented to the data and records release question on the staff consent form.

Type of PII that the Entity will receive/access: Student PII and Staff PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies. As stated in the consent form, the research team will store identifiable information (e.g., names and contact information) for future follow-up research purposes by the NYU research team for four years following the completion of this study. After this, data consisting of participant identifiers and documentation connecting participants to personal information will be deleted. This data includes consent forms and any other materials that contain personal identifiers, and the file that links participant research IDs to name/DOB. The identifiable electronic data will be permanently deleted by research staff with access to the password protected server, and trash will be cleared. In-person research staff will retrieve hard copy data from locked storage space and shred.

De-identified data (data without and identifiers like names and contact information) will be kept indefinitely.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution. After downloading the data via the DOE’s secure FTP server or the Research Alliance for NYC School’s secure FTP server, identifiable electronic data will be stored on secure, encrypted server space allocated by NYU Steinhardt. Data will be accessible only to NYU research staff involved in this project via their NYU username and password. The server is only accessible to NYU staff who are granted access by their unique NYU ID. Login requires staff to enter their NYU account password and multi-factor authentication. The server is also only accessible using NYU’s network.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology. 

New York University (NYU) (for NYU College & Career Lab: Long-Term Academic Achievement Outcomes)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 2/8/2023 – 2/8/2025

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. We are evaluating the academic achievements students that apply to the CCL program. To address the issue of examining long-term academic outcomes, we plan to use DOE updated administrative data from the Research Alliance for New York City Schools (RANYCS) and measure it against the NYS Report Card data to calculate impacts on medium-term effects, such as middle school test scores, attendance, and participation in New York City’s high school application system (the largest choice-system in the nation), to longer-term effects such as high school course-taking, graduation, and transition into university. The use of administrative data that is collected by NYC DOE will provide the opportunity for early reporting on student outcomes.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

New York University (NYU) (for NYC Partnership for Math Equity Project)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 3/20/2023 – 6/30/2025

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. The goal of this study is to understand whether and how exposure to supplemental collaborative math activities enhances students' conceptual understanding of math, particularly for Black and Latinx students and students experiencing poverty. Amplify Desmos Classroom ("the platform") is a platform for learning and teaching mathematics and other subjects. The platform encourages diverse expression of student mathematical knowledge and extensive collaboration among students and between teachers and students. Teachers are able to determine the pacing of lessons, when to bring students together for discussion, what questions to pose, and what anonymized examples of student work to highlight to the class. The Amplify Desmos math curriculum is based on Illustrative Mathematics. For the Math Equity Partnership, a set of lessons aligned to the New York State Foundational Standards for grades 6-8 will be made available to teachers in approximately 50 schools. Teachers will implement these lessons during the 2023-24 school year in a variety of ways, including small-group and whole-class instruction, to provide students access to grade-level math content within an interactive and collaborative digital environment. Teachers will receive onboarding, ongoing virtual and in-person coaching, and micro-professional learning experiences (PLEs) embedded within the platform. We will conduct a mixed-methods exploratory study to understand how teachers use the supplemental lessons to support students' ability to articulate important math concepts and to foster a sense of joy, math belonging, and positive math identities. We hope to understand the range of ways teachers employ the supplemental lessons and how and whether the lessons support culturally responsive and sustaining math instruction, a core goal of NYC Public Schools' vision for mathematics.

Our research design involves teacher-level and student-level data generated and recorded on the Amplify Desmos online learning platform. Our understanding is that data generated and recorded on the Amplify Desmos platform is considered educational record data under FERPA. We understand that as an organization directly contracted by NYCPS to conduct studies on its behalf, PRE qualifies for an exemption to FERPA disclosure rules under 34 CFR § 99.31.

PRE has subcontracted with the Research Alliance for NYC Schools (RANYCS) to handle identifiable administrative and platform data. Upon NYCPS approval, Amplify will securely transfer student-level and teacher-level platform data to RANYCS. RANYCS will create a matched dataset including administrative data, following all data security procedures. PRE will submit data requests to NYCPS through the regular process and, upon execution of a non-disclosure agreement, receive de-identified data sets from RANYCS. Amplify has data-sharing agreements and an ERMA in place with NYCPS. PRE’s ERMA is in progress.

Type of PII that the Entity will receive/access: Student PII and Staff PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Ohio State University (for Effects of Neighborhood Characteristics and Commute Times on High School Students' Academic Outcomes)

The exclusive purposes for which Protected Information will be used: The Protected Information will be used solely to conduct a rigorous, statistical analysis designed to inform constituents and policy-makers associated with NYC public schools as well as a broader audience of policy-focused social scientists.

How you will ensure that the subcontractors, persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements: Only individuals mentioned in the application to the NYCDOE will have access to the education data. All individuals have read through the data use agreements, and have agreed to follow all security protocols.

When the agreement expires and what happens to Protected Information upon expiration of the agreement: We will remove the Protected Information provided to us by NYC’s DOE by having an Ohio State University IT specialist securely shred the hard-drive on which the data are stored, following a standard University protocol for removing confidential data.

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.

Where the Protected Information will be stored (described in such a manner as to protect data security), and the security protections taken to ensure such data will be protected, including whether such data will be encrypted: The Protected Information will be stored on a computer owned by the Department of Economics at Ohio State University. The computer will be stored in a locked, private office accessed only by the researchers named on this project and the Department’s IT specialist, and will have the following security features:

  • Windows 10 Enterprise with latest patch set. Patch schedule is bi-weekly.
  • Network single user login enforced by Active Directory.
  • Remote access protected by gateway with 2-Factor authorization. (Duo Mobile), Data copy between clients is restricted.
  • 180 Day Password change policy enforced by central Identity Management Minimum standards: 8 Char including 3 of Uppercase. Lowercase, Numerals, or Special characters. Dictionary words are prohibited. User accounts can be remotely disabled.
  • 15 Minute inactivity lockout.
  • Full disk encryption using Bitlocker
  • Malware/Virus on-access, and scanning protection using managed Falcon Prevent (Crowdstrike).
  • Network traffic protection and restriction via host and perimeter firewall.
  • System log collection and visualization via Splunk.
  • Clients scanned regularly for vulnerabilities using Nessus.
  • Hard drive shredded by college service at completion of project.

Policy Studies Associates (for NYC Math Case Study Evaluation)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 1/1/2024 – 9/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. Policy Studies Associates is conducting evaluation case studies of the implementation of NYC Reads - Grade 9 Algebra.

Type of PII that the Entity will receive/access: Student PII and Staff PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Research Alliance for New York City Schools (for Evaluation of Practice Makes Perfect Summer Program in New York City: COVID Update)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 7/1/2023 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. This project will evaluate the impact of a large virtual summer learning program offered by the Practice Makes Perfect (PMP) organization to NYC public school students during the “COVID summer” of 2020. PMP’s broader mission is to address summer learning loss through academic enrichment, tutoring, and mentoring. In 2020, PMP provided an online summer program at no charge to approximately 5,000 NYC students. PMP worked with the research team to randomly invite participants from the more than 10,000 who applied. This random assignment will facilitate a rigorous impact evaluation of the offer to participate. The research team will estimate the impact of the program on students’ short and longer-term academic outcomes..

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies. As the service provider, Practice Makes Perfect will maintain possession of its original list of applicants and participants (which includes PII). The analytic database created using a fuzzy match between the PMP applicant list and NYCDOE data will be destroyed at the end of the project in accordance with the signed NDA. The project will be considered complete after publication of the team’s final report. Note that RANYCS standing data is governed by a separate agreement between the NYCDOE and RANYCS.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology. 

RAND Corporation (for Evaluation of the Long-Term Effects of Retention under New York City’s Student Promotion Policy)

Type of Entity: Not-for-Profit

Contract / Agreement Term: 11/14/2022 – 11/14/2024

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. The data will be used exclusively for the evaluation of the long-term effects of student grade retention under New York City's student promotion policy in effect between the 2003-2004 and 2011-2012 school years.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology. 

Research Triangle Institute (RTI) (for High School and Beyond 2022, HS&B:22)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 9/15/2022 – 7/31/2026

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. The High School and Beyond 2022 (HS&B:22) study will be the sixth in a series of longitudinal studies at the high school level conducted by the National Center for Education Statistics (NCES), within the U.S. Department of Education. These studies play a critical role in education, providing a rich variety of data to answer questions about how students’ backgrounds and school experiences affect education and life outcomes. HS&B:22 is being conducted by RTI International under contract to NCES.

To identify which students will be invited to participate in HS&B:22, RTI will request a roster of students enrolled in ninth grade during the 2022-2023 in each participating school.

We will request a complete roster of all ninth-grade students, including key student characteristics, such as: name; ID number; month and year of birth; grade level; sex; race/ethnicity; and English Language Learner (ELL) status. As part of the roster collection, RTI will also request the following information for each student: student’s math teacher and math course information; and student’s parent and/or guardian name and contact information.

We will work with districts/schools that are unable to provide all of the information to obtain the key information allowable and needed for sampling. We will provide a sample template and instructions to upload rosters to the secure NCES website.

Type of PII that the Entity will receive/access: Student PII and Staff PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Student data are subject to strict protections that are adhered to by NCES and its contractor organizations. Unused roster information will be securely destroyed when no longer needed for the purposes specified in 34 CFR § 99.35. Due to the longitudinal nature of HS&B:22, sampled students are followed over an extended period of time (possibly into college and beyond).

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. NCES has a secure data transfer system, which uses SSL technology, allowing the transfer of encrypted data over the Internet. The NCES secure server will be used for all administrative data sources. All data transfers will be encrypted. HS&B:22 data files and systems that contain PII or direct identifiers will reside in RTI’s sophisticated FIPS Moderate VDI. This network operates as a separate structure within the overall RTI computing infrastructure to provide additional security for data and to encrypt all network traffic with Federal Information Processing Standards (FIPS) 140-2 verified encryption tools. RTI uses Microsoft SQL servers to store non-sensitive project information. User-level access to these servers for authorized users is controlled with the same credentials needed for network and file access within each of the RTI networks.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology. 

Teachers College, Columbia University (for Segregation Between and Within New York City Middle Schools)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 7/6/2023 – 5/31/2025

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. This study examines the extent of between- and within-school segregation in NYC middle schools in each of the 32 CSDs, prior to and following the removal of academic screens for admissions. The study relies on administrative data on individual students to describe between- and within-school social and academic segregation.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology. 

Teachers College, Columbia University (for Evaluating Robin Hood's Accelerating Student Success and Learning + Technology Fund Initiatives)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 9/15/2023 – 9/15/2025

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. This data request is part of two related mixed-methods studies exploring three theories on how external school support organizations can build schools’ capacity to increase student learning. The Robin Hood Foundation funded external support organizations to provide NYC schools with services in alignment with each of the following three types of capacity building: first, increasing human capital by providing tutors for students; second, increasing human capital by providing teachers with professional development; and third, increasing technical capacity by providing teachers with high-quality instructional materials. The goal of the study is to understand the impacts of the Initiative-funded approaches and to determine where and how they work well in order to promote learning, improvement, and uptake of effective practices across NYC districts, schools, and support organizations. To do this, we will seek to answer the following research questions:

  • Do students who experience these Robin Hood-funded interventions gain more literacy and/or math skills compared to students who do not?
  • How do these effects differ across student characteristics, school contexts, intervention type, and implementation strategy?
  • How do schools (including school leaders, teachers, families, and RH partners) develop, implement, and experience these interventions?
  • How are these experiences related to impact?

The qualitative components of the study have been approved by the New York City Institutional Review Board under protocols 4066 and 4728.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Theo Pippins (for Academic Acceleration Sprint Analysis)

Type of Entity: Sole proprietor

Contract / Agreement Term: 5/1/2023 – 11/15/2023

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. Theo Pippins will support data analysis for the Academic Acceleration sprint. Tasks include, but are not limited to: developing/revising research questions; supporting the creation of data collection tools; assisting with data collection efforts; leading data cleaning and analysis using platform usage data, screener data, and state exam data; summarizing demographic characteristics of school communities; identifying trends, patterns, or relationships between interventions and test results; and preparing data visualizations.

Type of PII that the Entity will receive/access: Student PII and Staff PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Organization.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

University of Chicago (for The Evolution of the Charter School Sector)

Type of Entity: Community Based Organization or Not-for-Profit

Contract/Agreement Term: 9/29/2022 – 9/29/2025

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. I will be examining the evolution of the charter school sector in NYC and how quality has changed as the sector has expanded. My measure of quality will be calculated using student level test scores, which is why I need access to PII.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

University of Chicago (for Efficient Matching in the School Choice Problem)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 2/21/2023 – 2/21/2025

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. We are studying different algorithms in the high school match problem and use the NYC data to empirically get some results for further analysis and welfare considerations. We are going to first replicate a well-known paper that had used the NYC school match data to compare different tie-breaking rules and so on. Then we will apply the alternative algorithm using the preferences data and compare our new matchings to those in the previous literature. In this study, not only will we be able to examine the new algorithm which intended to make students get into their more preferred schools, our empirical results will also be helpful for further studies.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

University of Connecticut (for Understanding the Impacts of School Preference on High School Students)

The exclusive purposes for which PISI will be used: The PISI will be used to examine the impact of school choice on student academic and non-academic outcomes. As differences in admission mechanism may impact student behavior once they attend school, these date will be used to identity difference.

How you will ensure that the subcontractors, persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements: Data will not be shared with, nor available to, any persons, subcontractors, or entities, with the exception of Morgaen Donaldson, the Associate Dean of Research at the Neag School of Education in her roles as the dissertation advisor to the PI.

When the agreement expires and what happens to PISI upon expiration of the agreement: This agreement will expire on 9/10/2023, and upon its expiration all data will be deleted from the enterprise file server at UConn.

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. There will be no original data collection as part of this project – all data are administrative and collected by the NYCDOE.

Where the PISI will be stored (described in such a manner as to protect data security), and the security protections taken to ensure such data will be protected, including whether such data will be encrypted: All data will be stored on the UConn Enterprise File Server system. The specific folder for this project will only be accessible to the PI and the dissertation advisor, Dr. Morgaen Donaldson, Associate Dean of Research at the Naeg School of Education. Data will be encrypted both in motion and at rest using SSL and Bitlocker, respectively.

University of Kentucky (for Professional Development for Culturally Relevant Pedagogy in K-12 Computer Science)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 9/1/2022 – 6/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. Our objective is to understand the usefulness of professional development (PD) for teachers' implementation of culturally relevant practices in their computer science (CS) classrooms. More specifically, we aim to examine how, if at all, the knowledge and dispositions of teachers who participated in the “Exploring Equity in Computer Science” (EECS) professional development series have changed over time. Individual-level teacher records (i.e., teachers' responses to "exit tickets") will help us complete this study. Zitsi Mirakhur is conducting this study on behalf and at the request of the CS4All team.

Type of PII that the Entity will receive/access: Staff PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology. 

University of Michigan (for Family Preferences and Curricular Differentiation of NYC High Schools)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 1/9/2023 – 1/9/2025

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. My objective is to study family preferences over the “theme” or academic focus of NYC high schools. There are two broader questions that I am interested in exploring, both focused on the implications of offering and explicitly categorizing academically-themed programs.

The first question is whether different preferences over academic theme by race, gender, income, or achievement lead to differential sorting into schools along these lines, and whether this sorting increases or decreases segregation. Observing the decisions each student makes on which schools to apply to, how to rank them, and whether to enroll, combined with school characteristics data, will enable me to infer how students weight various school characteristics in their decision. I will also be able to investigate how these preferences vary by student demographics.

The second question is whether students have better outcomes when they are matched to a school with their preferred academic theme, relative to schools of a different theme. I need individual-level data on student applications and outcomes to identify a student’s preferred school theme from their application, determine whether it matches the theme of the school they enroll, and link this information to their high school outcomes.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology. 

University of Pennsylvania, Graduate School of Education (for Influence of Gifted and Talented Programs in New York City)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 4/1/2022 – 12/31/2022

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. The largest school district in the country, the New York City Department of Education, is unmatched in its scale and density. The ecosystem of schools and students in NYC has created a unique opportunity for student enrollment, where families apply for student’s admission to pre-K, Grades K-5, middle, and high school programs throughout the city. While students often prefer, and do have the priority, to attend the district where they live, the influence of address diminishes greatly as students get older, and in some cases, much earlier. Pathways of students throughout their educational progression is a real policy interest for education researchers, and a crucial concern for efficacy and equity goals at the Department of Education. A specific feature of the enrollment process is gifted and talented (GT) enrollment. With about 80 programs in the city, compared to the almost 800 available elementary schools, GT programs are present in a minority of schools, reach a minority of students, and yet remain the focus of a major ongoing policy debate. One policy concern is that low-income and minority students are vastly under-represented in GT programs. In New York City public schools, just 14 percent of students in the GT program are black or Hispanic, compared with 60 percent of the entire student body. Opponents suggest removing the programs completely, and supporters propose expanding the programs in more low-income schools, as well as changing the identification of giftedness to increase exposure. In this study, we are interested in two questions. First, we will pursue a descriptive analysis of the change in GT options over a ten-year period in New York City, namely how those who apply and are accepted to the programs have been influenced by changing policy measures. We hope to extend this to a broader discussion of the supply and demand mismatch in the GT option, by coupling student level data with changes in malleable admissions criteria. Second, what is the influence of a GT program on a student who was accepted into the program, a student who was not accepted into the program, and a non-GT student who is in the same school as a GT program? The random allotment of the gifted classroom to some schools and not others provides an opportunity for this kind of natural experiment. Specifically, does the presence or absence of the GT classroom in a school affect student level outcomes in that school?

The purpose for collecting PII information on students, such as student level data of school name (DBN), student attendance, ELA standardized scores, and Math standardized scores, for 10 years, from the grades K-8, is so that we can track the paths of students in gifted programs, and those who were not selected into these programs, over time. Information at the student level helps to get at student level effects, in addition to school level effects that have been previously explored.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; and using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

University of Wisconsin – Madison (for Sorting, Commuting, and School Choice)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 8/20/2023 – 8/20/2025

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. The purpose of the study is to understand how families’ school application behavior is determined by where they live as well as how potential reforms on the school admissions rule determine where they live.

Thus, we request (1) students’ geocoded home address at the Census block level, (2) students’ school application list, and (3) de-identified id through we can merge home address and application.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Westat (for Early Childhood Longitudinal Study, Kindergarten Class of 2023-24 (ECLSK:2024))

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 11/15/2023 – 11/15/2028

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. Early Childhood Longitudinal Study, Kindergarten Class, 2023-24 (ECLSK:2024) is a national study focusing on children’s development from birth through elementary school. Through child cognitive assessments, child height/weight assessments (select schools), and parent, teacher, and administrator surveys, ECLS-K:2024 will provide educators, families, researchers, and policymakers with important information that can be used to improve children’s educational experiences. ECLS-K:2024 is conducted by the National Center for Education Statistics of the U.S. Department of Education. Westat is the contractor responsible for the ECLS-K: 2024 sample design and data collection. As part of ECLS-K:2024, districts and schools are randomly selected for participation. Within participating schools, kindergarten students are randomly selected to participate. To select students, Westat will request kindergarten roster data for selected schools in early spring 2024. Parents of selected students will be invited to provide consent for their child to participate. For consented students Westat will request additional data to facilitate assessment administration, including the kindergarten type and time of day, home language, whether the child has an IEP, whether the child requires any testing accommodations, and teacher name and classroom of selected students.

Type of PII that the Entity will receive/access: Student PII and Staff PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor and using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Yale University (for Belief and Preference Identification in School Choice)

Type of Entity: Research or Evaluation Institution or University

Contract / Agreement Term: 3/23/2021 – 3/1/2026

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. We intend to estimate and quantify the roles of students’ preferences and information about the schools, and beliefs about assignment chances, with regards to NYC’s centralized high school assignments. Student-level data is necessary to estimate the distribution of students’ preferences, information, and beliefs, and to link student-level characteristics to their application behavior and assignment outcomes.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will not share PII with subcontractors, outside persons, or third party entities.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Organization-owned and/or internally hosted-solution.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology. 

Zearn (for Impact of Zearn Math on Student Achievement in New York City)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 11/17/2023 – 11/17/2025

Describe briefly the project/evaluation/research you are conducting or participating in and briefly describe the purposes for which you are receiving or accessing PII. Student PII is used to match students to Zearn usage data and create comparable groups of consistent Zearn Math users and non-users, based on similar starting math and ELA assessment scores, grade, and a multitude of demographic factors. This facilitates the quasi-experimental method of Coarsened Exact Matching (CEM) that Zearn will use for this analysis, which enables the analysis to isolate the impact of Zearn Math on differences in students’ academic growth.Zearn seeks to partner with NYCDOE to analyze the effect of Zearn Math lesson completion on student achievement in math as measured by the New York State ELA and Mathematics Test assessments, as well as the iReady and MAP interim assessment tests. The analysis will assess the effect of Zearn Math on student math achievement, overall and by subgroup, using changes in scale scores and mobility between achievement levels. For this efficacy analysis, Zearn will use the quasi-experimental method of Coarsened Exact Matching (CEM) to create comparable groups of consistent Zearn Math users and non-users, based on similar starting math and ELA assessment scores, grade, and a multitude of demographic factors, in order to isolate the impact of Zearn Math on differences in students’ academic growth.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Organization may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The Organization will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII in accordance with the signed NDA/data agreement and DOE policies.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Data Privacy Safeguards. The Organization must comply with certain administrative, technical and/or physical safeguards to ensure PII will be protected and to mitigate data privacy and security risks. By agreeing to this section and checking all the boxes below, the Organization is representing that it can meet, at a minimum, all of the following data security and privacy safeguards:

  • Have a risk management strategy to identify and detect data security incidents;
  • Have data security protocols and procedures in place to protect data assets;
  • Have a security incident monitoring system in place to identify cybersecurity events;
  • Have a data incident response plan in place and a mitigation procedure to ensure an effective response and containment response to any security breach;
  • Have a recovery process in place to ensure restoration of systems or assets affected by a security incident; and
  • Have set access controls such that access is only provided to staff with a need to use the information for the purposes of the study/research.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Organization agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Organization agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.